Cisco Warns of Critical Flaw in CloudCenter Orchestrator Systems

Cisco Systems released a critical security bulletin for a vulnerability that could allow an attacker to gain root privileges on affected CloudCenter Orchestrator systems. The company released workaround instructions to mitigate the flaw along with making a software fix available for download.

“The vulnerability is due to a misconfiguration that causes the Docker Engine management port to be reachable outside of the CloudCenter Orchestrator system. An attacker could exploit this vulnerability by loading Docker containers on the affected system with arbitrary privileges,” according to the bulletin.

Cisco’s CloudCenter Orchestrator system is a cloud management platform for deploying and managing applications on a variety of datacenters or cloud services. Docker is the open-source project that automates the deployment of Linux applications inside software containers that can run code, system tools and host system libraries.

“(The) vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system,” Cisco’s advisory states.

Impacted are all releases of Cisco CloudCenter Orchestrator deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface), Cisco said. “Administrator can log in to the CCO and issue the netstat -ant | grep 2375 command to determine if the port is open and bound to 0.0.0.0 local address.”

The bulletin advises administrators to verify whether malicious Docker containers reside on their systems by running the “docker images” command, which lists the images installed on a system. Malicious containers, Cisco said, will be identified as “badcontainer.”

“Because this vulnerability may allow access to the Cisco CCO software with root privileges, additional indicators of compromise may be present depending on the goal of the malicious actor,” Cisco said.

Workaround instructions and a link to a software fix are both available at the security advisory. One of those workarounds includes restricting the Docker Engine port to bind to localhost (127.0.0.1).
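As an added example (not from the Cisco bulletin or any Cisco tooling), the POSIX shell script below automates the two checks the bulletin describes, the port-2375 binding check and the "badcontainer" image check, against constructed sample output so it runs offline; it goes slightly beyond the bulletin by also treating the IPv6 wildcard (:::2375) as exposed. The function names and sample data are assumptions; on a real CCO host, feed it the live output of `netstat -ant` and `docker images`.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not Cisco's). Input is passed as text so the
# checks can be exercised against constructed samples.

# Return 0 if any TCP socket is LISTENing on port 2375 bound to every interface.
# netstat -ant fields: Proto Recv-Q Send-Q Local-Address Foreign-Address State
docker_port_exposed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $4 ~ /^(0\.0\.0\.0|::):2375$/ && $6 == "LISTEN" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the image list names the repository Cisco says malicious
# containers show up as. docker images fields: REPOSITORY TAG IMAGE-ID ...
bad_container_present() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "badcontainer" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run both checks; print each finding and return the number of findings.
audit_cco() {
    findings=0
    if docker_port_exposed "$1"; then
        echo "FINDING: Docker Engine TCP port 2375 is bound to all interfaces (expected 127.0.0.1)"
        findings=$((findings + 1))
    fi
    if bad_container_present "$2"; then
        echo "FINDING: image 'badcontainer' present; assume root-level compromise and investigate"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample output (not captured from a real system).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED'

SAMPLE_IMAGES='REPOSITORY          TAG       IMAGE ID       CREATED       SIZE
cco-app             latest    0123456789ab   3 weeks ago   412MB
badcontainer        latest    abcdef012345   2 hours ago   5.6MB'

# Exit status of audit_cco is the finding count (2 for the samples above).
audit_cco "$SAMPLE_NETSTAT" "$SAMPLE_IMAGES" || echo "findings: $?"
```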